U.S.  General  Services  Administration  (GSA) 


PRESIDENTIAL  TRANSITION  “HOT  ISSUES”  INFORMATION  PAPER 


SUBJECT: Continuous Diagnostics and Mitigation (CDM): Implementation

1.  BACKGROUND: 

Continuous Diagnostics and Mitigation (CDM) is a Department of Homeland Security (DHS)
sponsored, GSA Assisted Acquisition Service (AAS) contracted, government-wide
cybersecurity program. The CDM program defends federal government IT networks from
cybersecurity threats and enhances risk-based decision-making within agencies and
across the federal government. CDM utilizes tools and services to improve agencies'
abilities to analyze critical security-related information. Continually monitoring networks for
flaws and anomalies will alert network managers to attacks and intrusions, thereby enabling
faster responses to fix vulnerabilities that allow attacks.

Implementation of Phase 1 & Phase 2 is occurring across the entire ".gov" domain during
the transition. CDM is expected to be a vital cybersecurity initiative going forward, with GSA
and DHS looking at how best to expand and execute the contract, and at the next steps of the
Program itself.


a.  General  Background: 

• GSA  AAS  established  and  maintains  a $6B  Blanket  Purchase  Agreement  (BPA) 
under  Schedule  70  for  the  on-going  procurement  of  certain  cybersecurity 
endpoint  management  and  monitoring  tools  and  services,  which  have  been 
specifically  approved  by  DHS  for  deployment  as  part  of  the  CDM  Program. 

• CDM  Phase  1 Awards  were  completed  in  FY2015,  and  the  first  of  2 Option  Years 
is  being  exercised  in  the  4th  quarter  (Q4)  of  FY2016. 

• CDM  Phase  2 Awards  will  be  completed  by  Q1  of  FY2017. 

• CDM  Phase  3 Task  Orders  will  be  initiated  and  awarded  in  FY2017. 

b.  Issues: 

• OMB is seeking to accelerate the progress of the CDM Phase 1 awards.

• Agencies  holding  CDM  Tool  licenses  are  seeking  GSA  support  for  license 
renewals  to  maintain  existing  low-cost  licenses. 

• GSA is receiving OMB and DHS requests to facilitate state and local
governments' use of the CDM BPA.

• The  CDM  BPA  expires  in  August  2018. 


2.  SCOPE  AND  EFFECT: 

a.  Impact  on  GSA’s  Customers: 

• CDM Phase 1 and Phase 2 were deployed throughout government using
centralized appropriation and centralized management through DHS and
supported by GSA AAS. For the last two fiscal years, GSA AAS has obligated
over $200M per year on behalf of DHS for executing the CDM Program.

• In the future, the appropriation is expected to continue at the same level; however,
the funding will be distributed across the Departments and Agencies, which
increases the CDM Program's reliance on GSA to manage the multiple
customers and multiple funding sources for the CDM Program.

• CDM is a high-visibility, highly resource-intensive AAS partnership that requires
significant resources from the FedSIM team. Going forward, should the CDM
mission continue to expand, and the partnership with DHS and AAS continue,
GSA will need to make decisions regarding how best to allocate resources to
meet the demands of this very large, complex program while maintaining
customer (DHS) satisfaction and Office of Management and Budget (OMB)
approval.

b.  Impact  on  the  Private  Sector  and  State  & Local  Governments: 

• While the CDM BPA has always been available to state and local governments, it
is not widely understood or utilized. OMB and DHS have requested GSA support
to increase state and local governments' participation in the CDM Program
through use of the BPA.


3.  ACTION(S)  PLANNED  OR  REQUIRED: 

GSA  AAS  provides  daily  monitoring  of  contractor  actions  and  coordination  with  DHS  in  the 
Phase  1 and  Phase  2 implementation.  GSA  AAS  is  currently  pursuing  numerous  acquisition 
strategies  for  the  future  of  CDM  (the  BPA  expires  in  2018),  including  coordinating  with 
GSA’s  Integrated  Technology  Service  for  potentially  establishing  CDM  Special  Item 
Numbers  under  Schedule  70  to  simplify  purchasing  of  CDM  tools,  and  to  facilitate  state  and 
local  governments’  use  of  eBuy  for  procuring  CDM  tools. 

4.  KEY  STAKEHOLDER  INTEREST: 

The CDM Program is highly visible to the Federal CIO, Tony Scott, and to senior executives
of DHS. The CDM Program recently underwent an OMB CyberStat Review to assess the
effectiveness of the Program. All actions assigned to GSA are closed. GSA AAS is
supporting DHS in working through remaining action items. There is no specific
Congressional interest that needs to be addressed at this time.

5.  FISCAL  YEAR  2017/2018  BUDGET  IMPACT: 

No specific budget impact for GSA. FY2017 funding for most aspects of CDM is
appropriated directly to DHS. Starting in FY2018, funding for the CDM Program will be
distributed to agencies (meaning that GSA IT, as an agency that is required to implement
CDM tools, will have to make strategic decisions in how that office manages its own
budget).


